Collecting crypto VPN traffic info from Cisco routers

Cisco crypto site-to-site VPNs are quite useful, but it is difficult to collect traffic stats for them when there is no virtual interface for SNMP to track. Instead the stats are held in various places in the Cisco SNMP MIBs, and you have to cross-reference between those places to work out which SNMP entry refers to which VPN tunnel. This gets harder the more tunnels you have on your router.

With this in mind I’ve created a WhatsUp performance monitor script to collect the traffic receive (rx) and transmit (tx) stats through SNMP. You’ll need to grab the Cisco router MIBs and install them into the WhatsUp MIBs directory before this script will work.

On the Cisco side you’ll be setting up a vpnmap entry such as this one:

The crypto map number is useful as this is how the script finds the correct VPN tunnel in SNMP:

' The remote peer
strVPNMapNumber="141"

The other variable to alter is whether the statistic to be collected is receive (rx) or transmit (tx) with respect to the router being polled. This is specified by this line:

' The direction of traffic (rx or tx)
strDirection="rx"

How the script works

The script gets a list of all the IPsec tunnels (get_ipsecTunnel_list), which is held at SNMP OID 1.3.6.1.4.1.9.9.172.1.2.1.1.3. It walks that list looking for entries which relate to the vpnmap number (141 in this case) and compiles a list of the matching SNMP indices. That list is then used to collect the receive or transmit statistics and add the values together for each IPsec tunnel associated with that ISAKMP tunnel (there can be many IPsec tunnels per ISAKMP tunnel, depending on your match ACL setup).
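The cross-referencing logic above, as an added example in Python rather than the post's WhatsUp VBScript (this is not the author's code). It parses numeric-OID snmpwalk-style output, picks the tunnel-table rows whose value equals the crypto map number, then sums the counters for those rows in the requested direction. The tunnel list OID is the one named in the post; the post does not give the rx/tx counter column OIDs, so the two counter OIDs below are obviously labelled placeholders, the walk output is constructed, and the assumption that the column value is exactly the crypto map number is mine (the post only says the entries "relate to" it). A row that vanishes between the two walks (a tunnel torn down mid-poll) is skipped rather than breaking the total.

```python
"""Sum Cisco IPsec tunnel rx/tx counters for one crypto map from SNMP walk output.

Added example, not the WhatsUp script from the post. Counter OIDs are placeholders.
"""
import re
from typing import Dict, Iterable, List

# Tunnel list OID as given in the post.
TUNNEL_MAP_OID = "1.3.6.1.4.1.9.9.172.1.2.1.1.3"

# PLACEHOLDERS: the post does not name the byte-counter columns. Replace these
# with the real column OIDs from the Cisco MIB you installed into WhatsUp.
COUNTER_OID = {
    "rx": "PLACEHOLDER-RX-COUNTER-OID",
    "tx": "PLACEHOLDER-TX-COUNTER-OID",
}

# Matches one line of `snmpwalk -On` style output: "<oid> = <TYPE>: <value>".
WALK_LINE = re.compile(r"^\.?(?P<oid>\S+)\s*=\s*(?P<type>[\w-]+):\s*(?P<val>.*)$")


def parse_walk(lines: Iterable[str]) -> Dict[str, str]:
    """Turn walk output lines into {oid: value}; quotes around STRING values are dropped."""
    table: Dict[str, str] = {}
    for line in lines:
        m = WALK_LINE.match(line.strip())
        if not m:
            continue  # blank line or something that is not a varbind
        table[m.group("oid")] = m.group("val").strip().strip('"')
    return table


def get_ipsecTunnel_list(walk: Dict[str, str], crypto_map: int) -> List[str]:
    """Return the row indices under TUNNEL_MAP_OID whose value is the crypto map number.

    Assumption (not stated in the post): the column value equals the crypto map number.
    """
    prefix = TUNNEL_MAP_OID + "."
    return sorted(
        oid[len(prefix):]
        for oid, val in walk.items()
        if oid.startswith(prefix) and val == str(crypto_map)
    )


def sum_direction(walk: Dict[str, str], indices: List[str], direction: str) -> int:
    """Add the rx or tx counter of every listed tunnel row; skip rows no longer present."""
    if direction not in COUNTER_OID:
        raise ValueError("direction must be 'rx' or 'tx', got %r" % direction)
    column = COUNTER_OID[direction] + "."
    total = 0
    for idx in indices:
        value = walk.get(column + idx)
        if value is None:
            continue  # tunnel torn down between the tunnel walk and the counter walk
        total += int(value)
    return total


def collect(lines: Iterable[str], crypto_map: int, direction: str) -> int:
    """Equivalent of the script's strVPNMapNumber / strDirection flow in one call."""
    walk = parse_walk(lines)
    return sum_direction(walk, get_ipsecTunnel_list(walk, crypto_map), direction)


# Constructed walk output: three tunnel rows, two of them on crypto map 141.
SAMPLE_WALK = """
.1.3.6.1.4.1.9.9.172.1.2.1.1.3.1 = STRING: "141"
.1.3.6.1.4.1.9.9.172.1.2.1.1.3.2 = STRING: "17"
.1.3.6.1.4.1.9.9.172.1.2.1.1.3.3 = STRING: "141"
.PLACEHOLDER-RX-COUNTER-OID.1 = Counter32: 1000
.PLACEHOLDER-RX-COUNTER-OID.2 = Counter32: 500
.PLACEHOLDER-RX-COUNTER-OID.3 = Counter32: 250
.PLACEHOLDER-TX-COUNTER-OID.1 = Counter32: 70
.PLACEHOLDER-TX-COUNTER-OID.3 = Counter32: 30
"""

if __name__ == "__main__":
    for direction in ("rx", "tx"):
        print(direction, collect(SAMPLE_WALK.splitlines(), 141, direction))
```

In a real poller the two walks come from the router (for example `snmpwalk -On` against the tunnel OID and the counter column); feeding their lines to `collect` gives the per-crypto-map total that the WhatsUp script reports.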